XenoTerraCide Veteran
Joined: 18 Jan 2004 Posts: 1418 Location: MI, USA
Posted: Mon Dec 26, 2005 5:09 am Post subject: Student Apache Iptables [solved]

Ok, I'm trying to learn Apache. I seem to have it blocked with iptables, however... someone tell me what's wrong in my firewall script. thx.
Code:
#!/bin/bash
IPTABLES='/sbin/iptables'
# flush rules and delete chains
$IPTABLES -F
$IPTABLES -X
# default policy: drop everything not explicitly accepted below
$IPTABLES -P INPUT DROP #1
# SSH server
$IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT #2
# allow access to the HTTP server
$IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT #3
$IPTABLES -A INPUT --protocol tcp --dport 443 -j ACCEPT
# allow access to samba (netbios)
$IPTABLES -A INPUT --protocol udp --dport 137 -j ACCEPT #4
$IPTABLES -A INPUT --protocol udp --dport 138 -j ACCEPT #5
$IPTABLES -A INPUT --protocol tcp --dport 139 -j ACCEPT #6
# allow access to instant messengers
# MSN messenger
# line 1 is the messenger, line 2 is file transfer
$IPTABLES -A INPUT --protocol tcp --dport 1863 -j ACCEPT #7
$IPTABLES -A INPUT --protocol tcp --dport 6891 -j ACCEPT #8
#
# AIM: line 1 is the messenger
$IPTABLES -A INPUT --protocol tcp --dport 5190 -j ACCEPT #9
#
# Yahoo Messenger
# line 1 is the messenger, line 2 is file transfer
$IPTABLES -A INPUT --protocol tcp --dport 5050 -j ACCEPT #10
$IPTABLES -A INPUT --protocol tcp --dport 4443 -j ACCEPT #11
# accept loopback connections
$IPTABLES -A INPUT -i lo -s 127.0.0.1 -j ACCEPT #12
# accept related and established packets
$IPTABLES -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT #13
# accept rsync
$IPTABLES -A INPUT -i eth0 --protocol tcp --dport 873 -j ACCEPT #14
$IPTABLES -A INPUT -i eth0 --protocol udp --dport 873 -j ACCEPT #15
# accept Limewire
$IPTABLES -A INPUT -i eth0 --protocol tcp --dport 6346 -j ACCEPT
$IPTABLES -A INPUT -i eth0 --protocol udp --dport 6346 -j ACCEPT
# block invalid packets
$IPTABLES -A INPUT -m state --state INVALID -j DROP #16
and if anyone can tell me if my firewall is an otherwise good one I'd appreciate it. Oh, and I may be posting other questions here about my server in the next couple of days. I need to learn this for the Linux+ test.
Last edited by XenoTerraCide on Tue Dec 27, 2005 11:32 pm; edited 1 time in total
groovin Guru
Joined: 07 Feb 2004 Posts: 429 Location: California, USA
Posted: Mon Dec 26, 2005 6:08 am

Shouldn't you have:
Code:
$IPTABLES -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
so iptables knows how to get out? I found this one on Google because I'm not an iptables kinda guy =).
If that doesn't help, perhaps Ethereal can give you some clues?
Otherwise, bring on the other questions!
splooge l33t
Joined: 30 Aug 2002 Posts: 636
Posted: Mon Dec 26, 2005 7:33 am

I don't see anything immediately wrong with your ruleset. Can you get to your webserver after turning iptables off?
_________________
http://get.a.clue.de
XenoTerraCide Veteran
Joined: 18 Jan 2004 Posts: 1418 Location: MI, USA
Posted: Mon Dec 26, 2005 4:18 pm

Yeah, I can; that's how I know iptables is blocking it. As far as getting out, I wouldn't think that's the problem, because I don't have anything blocking outgoing packets. I am, however, intending to write that part of the firewall at some point; it just hasn't seemed important yet. I'm gonna make a link to a year-old post and see if I can't get some of the people who helped me with the writing of the firewall over here.
magic919 Advocate
Joined: 17 Jun 2005 Posts: 2182 Location: Berkshire, UK
Posted: Mon Dec 26, 2005 5:08 pm

Can you run
Code:
iptables -L -n -v
and paste the output, please.
XenoTerraCide Veteran
Joined: 18 Jan 2004 Posts: 1418 Location: MI, USA
Posted: Mon Dec 26, 2005 5:16 pm

Code:
Chain INPUT (policy DROP 48 packets, 8224 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
3 180 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:443
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1863
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6891
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5190
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5050
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4443
0 0 ACCEPT all -- lo * 127.0.0.1 0.0.0.0/0
1175 135K ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:873
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:873
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6346
1 59 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:6346
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2263 packets, 174K bytes)
1179 89879 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Is that what you want?
kadeux Tux's lil' helper
Joined: 21 Nov 2005 Posts: 103
Posted: Mon Dec 26, 2005 7:04 pm

Depending on your configuration (web client and/or nameserver on the same machine) you should consider adding an INPUT rule for udp/53.
BTW: If you are connected to the internet and not only testing locally, you should restrict netbios (Samba) to your local net.
XenoTerraCide Veteran
Joined: 18 Jan 2004 Posts: 1418 Location: MI, USA
Posted: Mon Dec 26, 2005 7:30 pm

Bagh... I don't even have Samba running, and I never did get it working with this firewall up either... I wrote this back when I was living on campus with a large LAN... and I haven't bothered to take that out... um... I'm not hosting the nameserver... is there any way (and I'm 99% sure the answer is yes) to check which ports are being used when the firewall is down? I could probably use that to rewrite my iptables script.
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
Posted: Mon Dec 26, 2005 7:34 pm

These rules work: iptables-restore < /var/lib/iptables/rules-save
Code:
*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT
COMMIT
*mangle
:PREROUTING ACCEPT
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
COMMIT
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -s your.ip.address.hereCHANGETHIS!! -i eth0 -j ACCEPT
# Gentoo Rsync for the "emerge --sync" command.
-A INPUT -s 62.197.40.130 -p tcp --dport 873 -i eth0 -j ACCEPT
-A INPUT -s 134.184.49.5 -p tcp --dport 873 -i eth0 -j ACCEPT
-A INPUT -s 82.129.5.25 -p tcp --dport 873 -i eth0 -j ACCEPT
# Bind DNS server - port 53.
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Apache web server - port 80.
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 80 -j ACCEPT
# Apache web server SSL - port 443.
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 443 -j ACCEPT
# Postfix email server - port 25.
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 25 -j ACCEPT
# Email using SSL - port 465.
-A INPUT -i eth0 -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 465 -j ACCEPT
COMMIT
_________________
Improve your font rendering and ALSA sound
XenoTerraCide Veteran
Joined: 18 Jan 2004 Posts: 1418 Location: MI, USA
Posted: Mon Dec 26, 2005 7:57 pm

Interesting, inputting those rules doesn't work... huh... I still say I need to figure out what's active and what isn't. Maybe it's in my httpd.conf... still, I didn't change any port rules from default...
XenoTerraCide Veteran
Joined: 18 Jan 2004 Posts: 1418 Location: MI, USA
Posted: Mon Dec 26, 2005 8:04 pm

Well, I know it's the INPUT chain... I just changed the rules on that from DROP to ACCEPT and it works... so where in INPUT is it... why isn't it working?
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
Posted: Mon Dec 26, 2005 8:18 pm

It could be the kernel config - does this show "=y" or "=m":
Code:
grep CONFIG_IP_NF_MATCH_STATE /usr/src/linux/.config
XenoTerraCide Veteran
Joined: 18 Jan 2004 Posts: 1418 Location: MI, USA
Posted: Mon Dec 26, 2005 8:23 pm

Running that command as-is shows
Code:
CONFIG_IP_NF_MATCH_STATE=y
so... y
kadeux Tux's lil' helper
Joined: 21 Nov 2005 Posts: 103
Posted: Mon Dec 26, 2005 8:53 pm

PaulBredbury wrote:
    -A INPUT -s your.ip.address.hereCHANGETHIS!! -i eth0 -j ACCEPT
XenoTerraCide wrote:
    Interesting, inputting those rules doesn't work...
XenoTerraCide, have you changed this part: "your.ip.address.hereCHANGETHIS!!" ?
The rules by Paul Bredbury are in the format that is used by iptables-save. Have you used iptables-restore to read them in?
XenoTerraCide wrote:
    I still say I need to figure out what's active and what isn't.
Use netstat, nmap and similar tools.
Here's a simple example to find out on which port the print server is listening:
Code:
# netstat -anp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 2453 1464/syslog-ng /dev/log
unix 2 [ ACC ] STREAM LISTENING 2560 15578/gpm /dev/gpmctl
# /etc/init.d/cupsd start
* Starting cupsd ... [ ok ]
# netstat -anp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN 6155/cupsd
udp 0 0 0.0.0.0:631 0.0.0.0:* 6155/cupsd
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 2453 1464/syslog-ng /dev/log
unix 2 [ ACC ] STREAM LISTENING 2560 15578/gpm /dev/gpmctl
If you have compiled your kernel properly, you can use the LOG target to analyze your rules with syslog(-ng).
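As an added example (not code from kadeux's post), a small Python helper that does what the netstat -anp run above does by hand: it parses the listening sockets out of the output and drafts one INPUT rule per network-reachable service, skipping sockets bound only to loopback. The sample output is constructed from the entries posted in this thread, and the rule format follows the original script; the result is a starting point for review, not a finished ruleset.

```python
# Added example: turn "netstat -anp" output into the list of server sockets
# and a draft of matching INPUT rules. Sample constructed from this thread.
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      31218/apache
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      6155/cupsd
tcp        0      0 67.185.188.6:52503      72.14.205.19:80         ESTABLISHED 29613/firefox-bin
udp        0      0 0.0.0.0:68              0.0.0.0:*                           6608/dhcpcd
udp        0      0 0.0.0.0:631             0.0.0.0:*                           6155/cupsd
Active UNIX domain sockets (servers and established)
unix  2      [ ACC ]     STREAM     LISTENING     2453   1464/syslog-ng      /dev/log
"""


def listening_sockets(netstat_output):
    """Return (proto, bind_addr, port, program) for every server socket."""
    found = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # headers and UNIX-domain sockets
        proto, local, foreign = fields[0], fields[3], fields[4]
        addr, port = local.rsplit(":", 1)
        if proto.startswith("tcp"):
            # TCP servers are the sockets in state LISTEN.
            if len(fields) < 7 or fields[5] != "LISTEN":
                continue
            program = fields[6]
        else:
            # UDP has no state column; a wildcard peer marks a bound server.
            if not foreign.endswith(":*"):
                continue
            program = fields[5]
        found.append((proto.rstrip("6"), addr, int(port), program.split("/", 1)[-1]))
    return found


def suggested_rules(sockets, iface="eth0"):
    """Draft one ACCEPT rule per socket reachable from the network."""
    rules = []
    for proto, addr, port, program in sockets:
        if addr.startswith("127.") or addr == "::1":
            continue  # loopback-only sockets never see traffic on eth0
        # Same shape as the rules in the original script; review each one,
        # e.g. restrict LAN-only services to the local net as kadeux advised.
        rules.append(f"$IPTABLES -A INPUT -i {iface} --protocol {proto} "
                     f"--dport {port} -j ACCEPT  # {program}")
    return rules


if __name__ == "__main__":
    print("\n".join(suggested_rules(listening_sockets(NETSTAT_SAMPLE))))
```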
XenoTerraCide Veteran
Joined: 18 Jan 2004 Posts: 1418 Location: MI, USA
Posted: Mon Dec 26, 2005 8:57 pm

Umm... I emerged Ethereal... but I'm not really sure how it's supposed to help me, groovin. I haven't used it before. As good a time as any to learn it, 'cause I know it's on the test... I don't want to fail the test a second time...
XenoTerraCide Veteran
Joined: 18 Jan 2004 Posts: 1418 Location: MI, USA
Posted: Mon Dec 26, 2005 9:11 pm

Yeah... I changed the line... before I posted... I forgot to at first and it complained at me. And I read them in with iptables-restore. I'll look at the other stuff you have in your post, kadeux. For anyone who would like to try... the page I'm trying to host is at http://xenoterracide.dtdns.net; right now all that should say is hello world. But if I have the firewall up it won't pull anything up... the Apache index.html is there as well.
XenoTerraCide Veteran
Joined: 18 Jan 2004 Posts: 1418 Location: MI, USA
Posted: Mon Dec 26, 2005 9:27 pm

Code:
SLAVE-I ~ # iptables -L -n -v
Chain INPUT (policy DROP 11 packets, 1528 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 127.0.0.1 0.0.0.0/0
0 0 ACCEPT all -- eth0 * 67.185.188.6 0.0.0.0/0
0 0 ACCEPT tcp -- eth0 * 62.197.40.130 0.0.0.0/0 tcp dpt:873
0 0 ACCEPT tcp -- eth0 * 134.184.49.5 0.0.0.0/0 tcp dpt:873
0 0 ACCEPT tcp -- eth0 * 82.129.5.25 0.0.0.0/0 tcp dpt:873
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
419 49007 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:80
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:443
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:25
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:465
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:465
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 422 packets, 30361 bytes)
pkts bytes target prot opt in out source destination
Just for confirmation.
XenoTerraCide Veteran
Joined: 18 Jan 2004 Posts: 1418 Location: MI, USA
Posted: Mon Dec 26, 2005 9:31 pm

From netstat -anp:
Code:
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 31218/apache
That's just the Apache entry; I have others.
XenoTerraCide Veteran
Joined: 18 Jan 2004 Posts: 1418 Location: MI, USA
Posted: Mon Dec 26, 2005 9:46 pm

Code:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 31218/apache
tcp 0 0 67.185.188.6:44906 205.188.210.131:5190 ESTABLISHED 7701/gaim
tcp 0 0 67.185.188.6:42963 205.188.7.126:5190 ESTABLISHED 7701/gaim
tcp 0 0 67.185.188.6:52503 72.14.205.19:80 ESTABLISHED 29613/firefox-bin
tcp 0 0 67.185.188.6:48125 207.46.0.89:1863 ESTABLISHED 7701/gaim
tcp 0 0 67.185.188.6:55518 216.155.193.131:5050 ESTABLISHED 7701/gaim
tcp 0 1 67.185.188.6:34092 67.185.188.6:80 SYN_SENT 29613/firefox-bin
tcp 0 0 67.185.188.6:46298 63.240.93.147:80 ESTABLISHED 29613/firefox-bin
udp 103284 0 0.0.0.0:68 0.0.0.0:* 6608/dhcpcd
kadeux Tux's lil' helper
Joined: 21 Nov 2005 Posts: 103
Posted: Mon Dec 26, 2005 10:39 pm

Quote:
    72.14.205.19:80 ESTABLISHED 29613/firefox-bin
OK, so you are googling as a client on the machine which is your server when you make that screenshot:
Quote:
    Result of 'dig 19.205.14.72.in-addr.arpa. A':
    ; <<>> DiG 9.3.1 <<>> 19.205.14.72.in-addr.arpa. A
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3736
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;19.205.14.72.in-addr.arpa. IN A
    ;; AUTHORITY SECTION:
    205.14.72.in-addr.arpa. 180 IN SOA ns1.google.com. dns-admin.google.com.
You could not connect to your web server with a web browser on the same machine when the firewall is up, right?
..and you are not running a local DNS server.
Thus your firewall setup needs a rule for DNS lookups to an external nameserver. To get answers from your nameserver, add the following rule:
Code:
$IPTABLES -A INPUT -p udp -m udp -s $NAMESERVER --sport 53 -d 0/0 -j ACCEPT
(Replace the variable $NAMESERVER; look in /etc/resolv.conf or maybe in your router settings.)
Have you tried to connect to your webserver based on the IP address instead of the server name before?
BTW: Using a publicly accessible server additionally for browsing/messaging is not very secure.
XenoTerraCide Veteran
Joined: 18 Jan 2004 Posts: 1418 Location: MI, USA
Posted: Mon Dec 26, 2005 11:15 pm

Typing in the IP address doesn't work either. And if I were having DNS problems, wouldn't I have trouble finding anything by a domain name when the firewall is up? I have the firewall up right now; feel free to tell me if you can access it: http://xenoterracide.dtdns.net/ Funny, I can access http://xenoterracide.dtdns.net/index.html now; I don't think I could before with the firewall up. But I still can't access the helloworld page. ...oh, and I inserted your rule.
XenoTerraCide Veteran
Joined: 18 Jan 2004 Posts: 1418 Location: MI, USA
Posted: Mon Dec 26, 2005 11:23 pm

Oh, and btw... this server... is my desktop... I like security, but it's not like this contains anything critical; this machine is half server, half toy. And the only person I'm serving for is me, and that's for educational purposes right now anyway. However, I kinda would like to have the firewall work... along with everything else, because I'm going to have my Windows laptop behind the firewall at some point and I'm tired of getting nailed by worms.
kadeux Tux's lil' helper
Joined: 21 Nov 2005 Posts: 103
Posted: Mon Dec 26, 2005 11:33 pm

http://xenoterracide.dtdns.net/ wrote:
Code:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<body>
hello world
</body>
</html>
IP 67.185.188.6
I can access both pages. If your firewall is up (..and no, I will not be pentesting your box), your server/rules work as expected.
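As an added illustration (not code from this thread), a first-match model of the INPUT chain that traces two connection attempts seen above through Paul's ruleset: a remote request arriving on eth0, like kadeux's, and the local firefox connection to 67.185.188.6:80 that shows as SYN_SENT in the netstat output. Linux delivers a connection to the host's own address over the loopback interface, so iptables sees it with -i lo but with a non-127.0.0.1 source; the model is deliberately simplified (no real conntrack, the packet carries its own state), and the remote source address is a constructed documentation-range value.

```python
# Added example: a simplified first-match model of the iptables INPUT chain.
# A rule is a dict of match conditions; an absent key matches anything, just
# as omitting -i / -s / -p / --dport does. Conntrack is not modelled.
PAUL_INPUT_CHAIN = [  # the *filter INPUT rules from Paul's iptables-save dump
    {"in": "lo", "src": "127.0.0.1"},
    {"in": "eth0", "src": "67.185.188.6"},  # the "your.ip.address.here" line
    {"in": "eth0", "src": "62.197.40.130", "proto": "tcp", "dport": 873},
    {"in": "eth0", "src": "134.184.49.5", "proto": "tcp", "dport": 873},
    {"in": "eth0", "src": "82.129.5.25", "proto": "tcp", "dport": 873},
    {"in": "eth0", "proto": "tcp", "dport": 53},
    {"in": "eth0", "proto": "udp", "dport": 53},
    {"in": "eth0", "state": {"RELATED", "ESTABLISHED"}},
    {"in": "eth0", "proto": "tcp", "dport": 80},
    {"in": "eth0", "proto": "tcp", "dport": 443},
    {"in": "eth0", "proto": "tcp", "dport": 25},
    {"in": "eth0", "proto": "tcp", "dport": 465},
]  # the udp rules for those ports are left out; they cannot match TCP anyway
POLICY = "DROP"  # :INPUT DROP


def rule_matches(rule, pkt):
    """Every condition in the rule must hold for the packet."""
    for key, want in rule.items():
        have = pkt.get(key)
        if key == "state":
            if have not in want:
                return False
        elif have != want:
            return False
    return True


def verdict(chain, pkt, policy=POLICY):
    """First match wins, else the policy; returns (target, rule index or None)."""
    for index, rule in enumerate(chain):
        if rule_matches(rule, pkt):
            return "ACCEPT", index  # every rule in this chain targets ACCEPT
    return policy, None


# Constructed packets. 203.0.113.7 is a documentation address standing in for
# kadeux's client. The local one mirrors the SYN_SENT netstat entry: a
# connection to the host's own address is delivered over lo, not eth0.
REMOTE_SYN = {"in": "eth0", "src": "203.0.113.7", "proto": "tcp",
              "dport": 80, "state": "NEW"}
LOCAL_SYN = {"in": "lo", "src": "67.185.188.6", "proto": "tcp",
             "dport": 80, "state": "NEW"}
# Variant with the common loopback rule "-i lo -j ACCEPT" (no -s restriction).
LO_ANY_CHAIN = [{"in": "lo"}] + PAUL_INPUT_CHAIN[1:]

if __name__ == "__main__":
    for name, pkt in (("remote", REMOTE_SYN), ("local", LOCAL_SYN)):
        print(name, verdict(PAUL_INPUT_CHAIN, pkt), verdict(LO_ANY_CHAIN, pkt))
```

Under Paul's rules the remote SYN is accepted by the tcp/80 rule, while the local SYN arriving on lo with a non-loopback source matches nothing and falls through to the DROP policy; the variant chain accepts it on the first rule.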
XenoTerraCide Veteran
Joined: 18 Jan 2004 Posts: 1418 Location: MI, USA
Posted: Mon Dec 26, 2005 11:36 pm

Ok... so you can see it... why can't I?... Makes no sense...
XenoTerraCide Veteran
Joined: 18 Jan 2004 Posts: 1418 Location: MI, USA
Posted: Mon Dec 26, 2005 11:39 pm

Wait... did it show up as HTML code by default, or did you view the code or something?